Go Insecure TLS Skip Verification
Description
Detects when TLS certificate verification is disabled in Go applications by identifying unsafe TLS configurations. This is a critical security vulnerability as it bypasses certificate validation, making HTTPS connections susceptible to man-in-the-middle attacks and exposing sensitive data.
Detection Strategy
• Check if the crypto/tls package is imported in the Go source code
• Look for instances where a tls.Config object is created
• Examine the configuration parameters to identify if certificate verification is being disabled through unsafe settings
• Report a vulnerability when tls.Config is configured to skip certificate verification
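The four detection steps above, carried out by a small source scanner (an added example for this page, not Fluid Attacks' own detector): it parses a Go file with go/ast, checks for a crypto/tls import (honouring an alias), finds every tls.Config composite literal, and reports the ones whose InsecureSkipVerify field is the literal true. The Finding type, the ScanSource function and the sampleSource input are constructed for this illustration.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strconv"
)

// Finding records one tls.Config literal that disables verification.
type Finding struct {
	Line int
	Text string
}

// importsCryptoTLS returns the local name bound to "crypto/tls" (step 1).
func importsCryptoTLS(f *ast.File) (string, bool) {
	for _, imp := range f.Imports {
		if path, err := strconv.Unquote(imp.Path.Value); err == nil && path == "crypto/tls" {
			if imp.Name != nil {
				return imp.Name.Name, true // aliased import, e.g. `import ctls "crypto/tls"`
			}
			return "tls", true
		}
	}
	return "", false
}

// isTLSConfig reports whether a composite-literal type is <pkg>.Config (step 2).
func isTLSConfig(expr ast.Expr, pkg string) bool {
	sel, ok := expr.(*ast.SelectorExpr)
	if !ok {
		return false
	}
	id, ok := sel.X.(*ast.Ident)
	return ok && id.Name == pkg && sel.Sel.Name == "Config"
}

// ScanSource parses one Go file and reports every tls.Config literal whose
// InsecureSkipVerify field is the literal true (steps 3 and 4).
func ScanSource(filename, src string) ([]Finding, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, filename, src, 0)
	if err != nil {
		return nil, err
	}
	pkg, ok := importsCryptoTLS(f)
	if !ok {
		return nil, nil // no crypto/tls import: nothing to examine
	}
	var findings []Finding
	ast.Inspect(f, func(n ast.Node) bool {
		lit, ok := n.(*ast.CompositeLit)
		if !ok || !isTLSConfig(lit.Type, pkg) {
			return true
		}
		for _, elt := range lit.Elts {
			kv, ok := elt.(*ast.KeyValueExpr)
			if !ok {
				continue
			}
			key, isIdent := kv.Key.(*ast.Ident)
			val, isLit := kv.Value.(*ast.Ident)
			// Only an explicit `true` is flagged; a variable value needs manual review.
			if isIdent && isLit && key.Name == "InsecureSkipVerify" && val.Name == "true" {
				line := fset.Position(kv.Pos()).Line
				msg := fmt.Sprintf("%s:%d: tls.Config sets InsecureSkipVerify: true", filename, line)
				findings = append(findings, Finding{Line: line, Text: msg})
			}
		}
		return true
	})
	return findings, nil
}

// sampleSource is constructed input for this example: one insecure literal, one safe one.
const sampleSource = `package main
import (
	"crypto/tls"
	"net/http"
)
func insecure() *http.Client {
	return &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: true}}}
}
func secure() *http.Client {
	return &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{MinVersion: tls.VersionTLS12}}}
}
`

func main() {
	findings, _ := ScanSource("sample.go", sampleSource)
	for _, f := range findings {
		fmt.Println(f.Text) // sample.go:7: tls.Config sets InsecureSkipVerify: true
	}
}
```

The scanner deliberately flags only a literal `true`; a field set from a variable or a function call is left for a reviewer, which keeps the rule precise at the cost of missing dynamically configured cases.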
Vulnerable code example

```go
package main

import (
	"crypto/tls"
	"net/http"
)

// Vulnerable: InsecureSkipVerify disables certificate chain and hostname
// validation, so the client accepts any certificate presented to it.
func createInsecureClient() *http.Client {
	cfg := &tls.Config{InsecureSkipVerify: true}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
}
```

✅ Secure code example
```go
package main

import (
	"crypto/tls"
	"net/http"
)

// Secure: verification stays enabled (the default); only the minimum
// protocol version is pinned, so the server certificate is still validated.
func createSecureClient() *http.Client {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
}
```
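To see the difference between the two configurations without leaving the machine, the following added example (not part of the original page) runs an in-process HTTPS server from net/http/httptest whose self-signed certificate is trusted by no root store, which is exactly the situation an interposed server creates. The verifying client refuses the connection with an x509 error, while the InsecureSkipVerify client completes the request. The helper names (newTLSTestServer, Probe, RunDemo) are constructed for this illustration.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// newTLSTestServer starts a loopback HTTPS server with a self-signed
// certificate that no trust store recognises.
func newTLSTestServer() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "ok")
	}))
}

// insecureClient mirrors the vulnerable example: verification disabled.
func insecureClient() *http.Client {
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
	}}
}

// verifyingClient mirrors the secure example: verification left on.
func verifyingClient() *http.Client {
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{MinVersion: tls.VersionTLS12},
	}}
}

// Probe reports whether the client completed the request and, if it did
// not, whether the failure was a certificate-verification error.
func Probe(c *http.Client, url string) (connected bool, certRejected bool) {
	resp, err := c.Get(url)
	if err != nil {
		var unknownAuthority x509.UnknownAuthorityError
		var certInvalid x509.CertificateInvalidError
		return false, errors.As(err, &unknownAuthority) || errors.As(err, &certInvalid)
	}
	resp.Body.Close()
	return true, false
}

// RunDemo returns (insecure client connected, verifying client rejected the cert).
func RunDemo() (bool, bool) {
	srv := newTLSTestServer()
	defer srv.Close()
	insecureConnected, _ := Probe(insecureClient(), srv.URL)
	_, rejected := Probe(verifyingClient(), srv.URL)
	return insecureConnected, rejected
}

func main() {
	connected, rejected := RunDemo()
	fmt.Printf("InsecureSkipVerify client connected: %v\n", connected)
	fmt.Printf("verifying client rejected the self-signed certificate: %v\n", rejected)
}
```

Probe distinguishes a verification failure from any other transport error so that a test built on it fails loudly if the secure client ever stops validating certificates.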